Monday 10 August 2020

The Blackbaud Affair

A nasty little problem - you've maybe encountered it already - that's been creeping its way around the Not-For-Profits relates to the fact that, apparently, a high percentage of the sector uses Blackbaud CRM software.  I presume it's cheap.

And insecure.  For Blackbaud has been held to ransom by someone who's hacked it, and made off with its users' clients' details.  On a pretty large scale, it would seem.

A couple of interesting aspects.  Firstly, this has been known about for weeks.  But the speed with which Blackbaud's users have 'fessed up to their own clients has varied tremendously.  Very much a laggard in this regard is ... the Labour Party, who've only just acknowledged this to their members whose data had flown the nest.  Why so coy for so long, Mr Starmer?  What bad-news-management mode were you in when they first told you about it?

Of wider import: Blackbaud gaily tell the world that "they have paid the ransom demanded by the cybercriminal and have received assurances that the data was destroyed as a result".  WTF?  Are those affected supposed to believe assurances from, errr, acknowledged criminals?  Why wouldn't said hackers make multiple copies and sell to whomever will pay?

Or is there a binding international Ransom Protocol I've never heard of, with ISO standards for conduct, arbitration in the Hague, and certification by General de Chastelain?

david morris said...

O/T, ND,

Bristol City Council has sold the business portion of Bristol Energy for £1.34million.

The loss-making energy company has soaked up £35million of council tax payers’ money and posted official losses of £32.5million since it was set up five years ago.

The council announced today the sale of the firm’s business customers to a specialist business energy supply company, Yü Energy.....

Yü Energy ... who they?

Nick Drew said...

Turnover of £100m, DM, and AIM-listed - so not minuscule

Business customers are VERY much easier to service and risk-manage than residential customers (until the coming recession starts to bite and credit becomes a big issue)

I've written about aspects of this here:

PushingTheBoundaries said...

At last, a topic I know of first hand. Tbf to many Blackbaud customers, they weren't told until 2 weeks ago, hence the gradual releases of first academic, then the NT, then others. As you say ND, the scale of this is huge and the naivety of Blackbaud simply astonishing.

A lot of their customers are formed from mom & pop small NfPs but they have also snared a few large ones.

And this hack has the potential to do a lot more real damage than simply posting a few tweets across some prominent accounts.

But perhaps to me, the most worrying part is that the sector itself seems to be rather relaxed about the whole affair. The main go-to charity commentariat haven't really touched it, very few blogs - in fact this place is one of the few to highlight it at all. Which I think illustrates still how backward the UK NfP scene is in terms of understanding 'tech' and its uses.

Spot on for bringing this to a wider audience.

Nick Drew said...

PushingTB - welcome. Feel free to pitch in anytime

everyone else does ...

E-K said...

Well.. not ALL the time !

Anonymous said...

Bet you regret joining the labour party now, ND.

Elby the Beserk said...

Blackbaud singing in the dead of night...

Anonymous said...

I have just been told about the Blackbaud hack by Bletchley Park which is quite funny when you think about it.

Anonymous said...

Blackbaud's response was absolutely hilarious.

Problem with most businesses is that IT is a black box, even for many IT orientated businesses, shout at the black box and it gives results. It's not generally regarded as important as sales, which is why fines should offer an existential threat if breaches are repeated, along with the prospect of prison for persons of control. Focus minds and all that.

You operate under the prospect you will get hacked, and how to recover from a worst case scenario. So that's data encrypted at rest and in transit, passwords and similar one way hashed with salts, networks segmented and lots of backing up. Get pen testers in at least once a year, have processes so new developments are secure as standard.

A lot of that isn't expensive (although quality pen testing is), although if you're in a high volume, critical data situation it can be as you backup data at point of entry, but outside of IT, people generally don't care, until it happens.

James Higham said...

Thank goodness I’m not in that field.

andrew said...

This was in The Register some time ago - 17 Jul.

I think Blackbaud are based in the US and some think their insurers paid out - or at the very least agreed.

There is a question over whether there is a GDPR issue here - it seems Blackbaud's servers are in Europe. Detailed agreement may not be needed, but they need to properly secure the data.

dearieme said...

Dearieme's First Law of IT people: they are moderately clever but think they are tremendously clever.

It explains a lot.

Anonymous said...

DM is on the money with this one. CRM is a loss maker. It's not that expensive to mash up and then charge for the add-ons where the profit is made.

Perhaps Blackbaud are angling for a security add on, at a cost, for later versions.

Something smells.

PushingTheBoundaries said...

Anon @10:33 I quite agree

Andrew: it is most definitely a GDPR issue. Still unclear on whether CC details were obtained as well.

As always, the hacked are heavy on what they've done AFTER the fact and light on how the hack actually occurred and what was compromised.

Nick Drew said...

"Lessons have been learned. Steps have been taken to ensure it never happens again"

(© all NHS trusts)